Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024; the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient, so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listing Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024, and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listing Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition was primarily due to the fact that the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024; the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new or substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implementation of a risk assessment control process, which commenced late in fiscal year 2024, and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new or substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the fact that the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024, and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. To assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place, which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024, and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listing Number (ALN) at the time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess a subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place, which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because the Health System does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024; the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management continue to fully implement the designed policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listing Number (ALN) at the time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess a subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place, which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024, and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient to determine the appropriate subrecipient monitoring, and that this monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition arose primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because the Health System does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024, and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure that subrecipient risk assessments are performed for each subrecipient and that the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient, so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient to determine the appropriate subrecipient monitoring, and that such monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure that subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at the time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi).
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new or substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implementation of a risk assessment control process, which commenced late in fiscal year 2024, and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure that subrecipient risk assessments are performed for each subrecipient and that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in a subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listing Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024; the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient, so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new or substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implementation of a risk assessment control process, which commenced late in fiscal year 2024, and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the fact that the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024, and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place, which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition arose primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because the Health System does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024; these ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure that a subrecipient risk assessment is performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in a subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024; the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024, and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listing Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the fact that the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and that the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024; the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024, and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure that subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to perform in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient, so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management continue to fully implement the designed policies, procedures, and internal controls to ensure that subrecipient risk assessments are performed for each subrecipient, so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management continue to fully implement the designed policies, procedures, and internal controls to ensure that subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listing Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place, which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024, and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient to determine the appropriate subrecipient monitoring, and that this monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place, which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the fact that the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implementation of a risk assessment control process, which commenced late in fiscal year 2024, and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listing Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the fact that the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024; the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, which could lead to errors being reported on the schedule of expenditures of federal awards within the subrecipient’s annual single audit report and to the subrecipient not being able to comply with the required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure that subrecipient risk assessments are performed for each subrecipient and that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implementation of a risk assessment control process, which commenced late in fiscal year 2024, and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implementation of a risk assessment control process, which commenced late in fiscal year 2024, and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the fact that the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024; the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure that subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listing Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess each subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place, which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because the Health System does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024; the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with the required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure that a subrecipient risk assessment is performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in a subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits, including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listing Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024; the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in a subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listing Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024, and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition arose primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because the Health System does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024; the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine that the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management continue to fully implement the designed policies, procedures, and internal controls to ensure that subrecipient risk assessments are performed for each subrecipient so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new or substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the fact that the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put effort into the design and implementation of a risk assessment control process, which commenced late in fiscal year 2024, and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management continue to fully implement the designed policies, procedures, and internal controls to ensure that subrecipient risk assessments are performed for each subrecipient so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System’s management of Infor includes maintaining the application system layer of the IT control environment, and the Health System relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved, and updated where necessary (i.e., evidence of the completeness and accuracy of the pre and post user listings was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, be maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness and accuracy of the pre and post user listings was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, be maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved, and updated where necessary (i.e., evidence of the completeness and accuracy of the pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as to the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness and accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness and accuracy of the pre and post user listings was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved, and updated where necessary (i.e., evidence of the completeness and accuracy of the pre- and post-review user listings was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness and accuracy of the pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, be maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved, and updated where necessary (i.e., evidence of the completeness and accuracy of the pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as to the testing and approval of changes, be maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness and accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, be maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, be maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved, and updated where necessary (i.e., evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness and accuracy of the pre and post user listings was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, be maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness and accuracy of the pre and post user listings was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness and accuracy of the pre and post user listings was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved, and updated where necessary (i.e., evidence of the completeness and accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as to the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness and accuracy of the pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, be maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness and accuracy for the pre and post user listings was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, be maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved, and updated where necessary (i.e., evidence of the completeness and accuracy of the pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as to the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved, and updated where necessary (i.e., evidence of the completeness and accuracy of the pre and post user listings was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, be maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness and accuracy of the pre and post user listings was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as to the testing and approval of changes, be maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness and accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as to the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness and accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as to the testing and approval of changes, be maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System’s management of Infor includes maintaining the application system layer of the IT control environment, and the Health System relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved, and updated where necessary (i.e., evidence of the completeness and accuracy of the pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as to the testing and approval of changes, be maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness and accuracy of the pre and post user listings was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as to the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness and accuracy of the pre- and post-review user listings was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved, and updated where necessary (i.e., evidence of the completeness and accuracy of the pre- and post-review user listings was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness and accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, be maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new or substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listing Number (ALN) at the time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the fact that the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and that the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024; the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure that subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listing number (ALN) at the time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. To assess each subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place, which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and the results of Uniform Guidance audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance audit reports.
Cause
The condition was primarily due to the fact that the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and that the Health System does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds. The Health System has put effort into designing and implementing a risk assessment control process; this work commenced late in fiscal year 2024, and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management continue to fully implement the designed policies, procedures, and internal controls to ensure that subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because the Health System does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024, and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure that subrecipient risk assessments are performed for each subrecipient and that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient, so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in a subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new or substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listing Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place, which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024; the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management continue to fully implement the designed policies, procedures, and internal controls to ensure that subrecipient risk assessments are performed for each subrecipient, so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at the time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place, which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition was primarily due to the fact that the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024, and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine that the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in a subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listing Number (ALN) at the time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place, which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition was primarily due to the fact that the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024; the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient and that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the fact that the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and that the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put effort into the design and implementation of a risk assessment control process, which commenced late in fiscal year 2024, and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management continue to fully implement the designed policies, procedures, and internal controls to ensure that subrecipient risk assessments are performed for each subrecipient, so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the fact that the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put effort into the design and implementation of a risk assessment control process, which commenced late in fiscal year 2024, and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient and that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listing Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the fact that the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024; the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new or substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. To assess each subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place, which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition was primarily due to the fact that the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and that the Health System does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024; these ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within the subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new or substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the fact that the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put effort into the design and implementation of a risk assessment control process, which commenced late in fiscal year 2024, and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine that the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new or substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listing Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024, and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure that subrecipient risk assessments are performed for each subrecipient and that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
(1) The subrecipient’s prior experience with the same or similar subawards;
(2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(3) Whether the subrecipient has new personnel or new or substantially changed systems; and
(4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the fact that the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and that the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put effort into the design and implementation of a risk assessment control process, which commenced late in fiscal year 2024, and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient, so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024, and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient, so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management continue to fully implement the designed policies, procedures, and internal controls to ensure that subrecipient risk assessments are performed for each subrecipient, so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management continue to fully implement the designed policies, procedures, and internal controls to ensure that subrecipient risk assessments are performed for each subrecipient to determine that the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place, which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implementation of a risk assessment control process, which commenced late in fiscal year 2024, and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management continue to fully implement the designed policies, procedures, and internal controls to ensure that subrecipient risk assessments are performed for each subrecipient to determine that the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine that the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new or substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implementation of a risk assessment control process, which commenced late in fiscal year 2024, and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition arose primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024; the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management continue to fully implement the designed policies, procedures, and internal controls to ensure that subrecipient risk assessments are performed for each subrecipient, so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new or substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listing Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implementation of a risk assessment control process, which commenced late in fiscal year 2024, and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in a subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in a subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implementation of a risk assessment control process, which commenced late in fiscal year 2024, and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listing Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implementation of a risk assessment control process, which commenced late in fiscal year 2024; the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition arose primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because the Health System does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024; these ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management continue to fully implement the designed policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024; the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because the Health System does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024; the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with the required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management continue to fully implement the designed policies, procedures, and internal controls to ensure that subrecipient risk assessments are performed for each subrecipient and that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management continue to fully implement the designed policies, procedures, and internal controls to ensure that subrecipient risk assessments are performed for each subrecipient, so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to the corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management continue to fully implement the designed policies, procedures, and internal controls to ensure that subrecipient risk assessments are performed for each subrecipient in order to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management continue to fully implement the designed policies, procedures, and internal controls to ensure that subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management continue to fully implement the designed policies, procedures, and internal controls to ensure that a risk assessment is performed for each subrecipient to determine the appropriate subrecipient monitoring, and that such monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states that the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listing Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the fact that the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024, and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure that subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring to be performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and included the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CRF section 75 303(a) states the non Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, the pass through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of non compliance, The Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, The Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily due to the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put efforts into the design and implement a risk assessment control process which commenced late in fiscal year 2024 and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report and not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient to determine the appropriate subrecipient monitoring is performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listing Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found was primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024, and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure subrecipient risk assessments are performed for each subrecipient, so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listings Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. In order to assess the subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition found arose primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because the Health System does not have a mechanism in place to provide the ALN at the time of disbursement of funds to the subrecipient. The Health System has put effort into the design and implementation of a risk assessment control process, which commenced late in fiscal year 2024, and the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure that subrecipient risk assessments are performed for each subrecipient, so that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Program Name: Research and Development Cluster
ALN Number: Various
Federal Award Year: July 1, 2023 – June 30, 2024
Criteria
In accordance with 2 CFR 200.332, a pass-through entity (PTE) must:
a. Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and, if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes:
(xii) Assistance Listing number (ALN) and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement (2 CFR section 200.332xxi)
b. Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as:
The subrecipient’s prior experience with the same or similar subawards;
(1) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program;
(2) Whether the subrecipient has new personnel or new substantially changed systems; and
(3) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency).
Additionally, 45 CFR section 75.303(a) states the non-Federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
Condition
When subawards are made to subrecipients, pass-through entities are required to communicate the dollar amount made available under each Federal award and the Assistance Listing Number (ALN) at time of disbursement. The Health System does not have a system in place to provide the ALN at the time of disbursement of funds.
During the year ended September 30, 2024, the Health System passed through $15,600,763 of federal funding to subrecipients. To assess each subrecipient’s risk of noncompliance, the Health System has subrecipient monitoring policies and procedures in place, which include the use of a risk assessment questionnaire. The risk assessment questionnaire includes considerations consistent with 2 CFR 200.332(b), including the entity’s prior experience and results of Uniform Guidance Audits, in addition to other factors. As part of our testing related to subrecipient monitoring, we identified that for each of the 10 subrecipients selected for testwork, the Health System did not perform a risk assessment of the entity for purposes of determining the appropriate subrecipient monitoring related to the subaward. However, for these subrecipients, the Health System did perform monitoring procedures, including review of invoices for reimbursement, review of Research Performance Progress Reports, and review of Uniform Guidance Audit reports.
Cause
The condition occurred primarily because the monitoring procedures implemented by the Health System do not include a review to ensure that a risk assessment is performed for each active subrecipient, and because the Health System does not have a mechanism in place to provide the ALN to the subrecipient at the time of disbursement of funds. The Health System has put effort into designing and implementing a risk assessment control process, which commenced late in fiscal year 2024; the ongoing efforts were not complete as of September 30, 2024.
Possible Asserted Effect
Failure to perform an annual risk assessment to determine appropriate subrecipient monitoring procedures may result in insufficient monitoring procedures being performed to detect subrecipient noncompliance with Federal statutes, regulations, and the terms and conditions of the award.
Failure to adequately communicate award identification information could result in the subrecipient not being able to adequately track and report the subawards received, resulting in errors being reported on the schedule of expenditures of federal awards within a subrecipient’s annual single audit report, and in the subrecipient not being able to comply with required terms and conditions of the federal award.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend management continue to fully implement the designed policies, procedures, and internal controls to ensure that a subrecipient risk assessment is performed for each subrecipient and that the appropriate subrecipient monitoring is determined and performed in accordance with 45 CFR 75.352(d) and 45 CFR 75.352(e).
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved, and updated where necessary (i.e., evidence of the completeness and accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness and accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness and accuracy of the pre and post user listings was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of sign-off by the reviewer. Additionally, we noted that appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating that the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness and accuracy of the pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, be maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness and accuracy of the pre- and post-review user listings was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed in a timely manner and noted that 9 of the sampled users were not removed in a timely manner prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as to the testing and approval of changes, be maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as to the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved, and updated where necessary (i.e., evidence of the completeness and accuracy of the pre- and post-review user listings was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, be maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, be maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, be maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness and accuracy of the pre- and post-review user listings was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved, and updated where necessary (i.e., evidence of the completeness and accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved, and updated where necessary (i.e., evidence of the completeness and accuracy of the pre and post user listings was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as to the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, be maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved, and updated where necessary (i.e., evidence of the completeness and accuracy of the pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved, and updated where necessary (i.e., evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness and accuracy of the pre and post user listings was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, be maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved, and updated where necessary (i.e., evidence of the completeness and accuracy of the pre and post user listings was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted that appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as to the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved, and updated where necessary (i.e., evidence of the completeness and accuracy of the pre and post user listings was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved, and updated where necessary (i.e., evidence of the completeness and accuracy of the pre and post user listings was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved, and updated where necessary (i.e., evidence of the completeness and accuracy of the pre and post user listings was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as to the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness and accuracy of the pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as to the testing and approval of changes, be maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved, and updated where necessary (i.e., evidence of the completeness and accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, be maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, be maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, be maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, and no evidence of sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved, and updated where necessary (i.e., evidence of the completeness and accuracy of the pre and post user listings was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, be maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness and accuracy of the pre and post user listings was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, be maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment. The Health System relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed that there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment. The Health System relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed that there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as to the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a), states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness and accuracy of the pre and post user listings was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System’s management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved, and updated where necessary (i.e., evidence of the completeness and accuracy of the pre and post user listings was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as to the testing and approval of changes, be maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls, over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statues, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states, the non federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non federal entity is managing the federal award in compliance with federal statues, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program, however we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e. evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved and updated where necessary (i.e., evidence of the completeness & accuracy for pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed, approved, and corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards, (2 CFR 200) section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application control.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved, and updated where necessary (i.e., evidence of the completeness and accuracy of the pre- and post-review user listings was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.
Federal Agency: United States Department of Health and Human Services (HHS)
Federal Program: Research & Development
ALN Number: Various
Federal Award Years: Various
Criteria
Internal Controls
Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements of Federal Awards (2 CFR 200), section 200.303(a) states that the non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition
The Health System utilizes Workday, a cloud-based system, to provide human resources and payroll applications. The Health System’s management of Workday includes maintaining the application system layer of the information technology (IT) control environment. The Health System relies on the Workday vendor to support infrastructure layers through Service Organization Control (SOC) Type-1 reporting. Processes that support compliance and administration of the R&D program rely on Workday IT application controls.
The Health System also utilizes Infor, a cloud-based system, as the entity’s general ledger. The Health System's management of Infor includes maintaining the application system layer of the IT control environment and relies on the Infor vendor to support infrastructure layers through SOC 1 reporting. Processes that support compliance and administration of the R&D program rely on Infor IT application controls.
During our testing, we observed there were no inappropriate changes to the Workday and Infor application controls directly related to specific controls over compliance related to the R&D program; however, we noted the following deficiencies in the operating effectiveness of the Health System’s general IT controls environment:
Workday
1) The Health System performed and documented a Workday change review during the fiscal year; however, the supporting document did not include sufficient appropriate evidence demonstrating such review. Specifically, management maintained an Excel spreadsheet that noted the changes to the business process definitions were appropriate; however, there were no screenshots to document the completeness and accuracy of the report from the system, or evidence of the sign-off by the reviewer. Additionally, we noted appropriate evidence of testing and/or approval was not maintained for 4 of 25 sampled changes during the period.
2) The Health System performed a Workday User Access Review (UAR) during the fiscal year and maintained certain evidence demonstrating the UAR occurred, including required access updates; however, the Health System did not maintain specific evidence that all users were reviewed, approved, and updated where necessary (i.e., evidence of the completeness and accuracy of the pre and post user listing was not available).
3) With respect to our access removal testing, we noted that the Health System implemented automated controls to remove terminated user access in both Workday and Infor, following processing in Workday. We also tested a sample of 25 terminated users to determine whether their access was removed timely and noted that 9 of the sampled users were not removed timely prior to processing in Workday.
Cause
The conditions above relate to the following, respectively:
1) The condition occurred because the Health System did not formally define the procedures to establish requirements for the change review, including retaining evidence of the completeness and accuracy of the review. Additionally, management does not have a centralized process for maintaining evidence of testing and approval for changes.
2) The condition occurred because the Health System did not formally define the procedures to document a complete and accurate UAR.
3) The exception occurred due to delays in supervisors’ timely reporting of terminations.
Possible Asserted Effect
Failure to have a reliable general IT control environment over logical access and change management may result in unauthorized changes being made to Workday, which may result in erroneous reliance on the operating effectiveness of automated IT controls over allowability. Failure to have effective internal controls over allowability may result in federal awards being utilized for unallowable expenditures not in accordance with the federal statutes, regulations, and terms and conditions of federal awards.
Questioned Costs
None.
Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.
Repeat Finding
Yes.
Recommendation
We recommend that management review and emphasize the change management policies and procedures with key personnel to help ensure that the Workday change review is performed to address change management risks for the system. In addition, we recommend that evidence related to the review, as well as the testing and approval of changes, is maintained.
Additionally, we recommend that management maintain documentation of the completeness and accuracy of the user access review to ensure that all users are reviewed and approved, and that corrective actions are taken.
Views of Responsible Officials
Recommendation accepted. Please refer to corrective action plan.